Nsight Blog | Ncontracts

Enforcement Actions Roundup: January 2025

Written by Jenna Dean and Toni Fennell | Feb 20, 2025 8:00:00 PM

Welcome to the first Enforcement Actions Roundup – a monthly post where our regulatory experts comb through recent enforcement actions to tell you what went wrong for the institution and how your institution can stay out of trouble. 

The Enforcement Actions Roundup includes two key elements:  

  1. The Enforcement Actions Tracker keeps a running total of enforcement actions by agency – keeping a tally of enforcement actions broken down by both overall category and individual topics addressed by each enforcement action. This makes it easy to pick out enforcement trends and hot topics. 
      
  2. The Enforcement Deep Dive reviews each enforcement action to understand what happened, key takeaways and controls you should review at your institution to avoid making the same mistake. 

Let’s dive in. 

2025 Enforcement Actions Tracker 

| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers |
|---|---|---|---|---|---|---|
| CFPB | 1 | 3 | | 1 | 3 | 1 |
| OCC | | | 1 | | | |
| FRB | | | | | | |
| FDIC | | | | | | |
| NCUA | | | | | | |

Please note that a single enforcement action may be included under multiple topics.  

Enforcement Action Deep Dive: January 2025  

CFPB Enforcement Actions

CFPB Sues Lender Over Faulty Ability-to-Repay Practices 

The CFPB sued a non-bank manufactured-home-financing company for violating Regulation Z by originating loans without a reasonable, good-faith determination of borrowers' ability to repay. The agency alleges the company used unrealistically low living expense estimates—half the average self-reported expenses—while ignoring clear signs that borrowers couldn’t afford their loans. As a result, some borrowers fell behind on payments, incurring fees, penalties, and repossession.

Takeaways

Regulation Z requires lenders to make a reasonable, good-faith determination of a borrower’s ability to repay. This assessment must consider multiple factors, including expected income/assets, employment, monthly payments, other debts, and debt-to-income ratio or residual income. Payment obligations must reflect reasonable living expenses—while these vary by borrower, regulators scrutinize deviations from norms without supporting evidence. 

Controls to Evaluate

  1. Underwriting Policies & Procedures: Written policies and procedures consider the consumer's ability to make the required minimum payments under the account terms based on the consumer's income or assets and current obligations. Reasonable policies and procedures include verification of income and assets (verified by a reliable third party, e.g., W-2s, tax returns, bank statements), verification of employment, review of credit history, calculation of debt-to-income ratios, confirmation that the monthly payment on the new loan is accurately calculated and within the borrower's ability to repay, and consideration of other obligations.
  2. Secondary Review Process: Loan Operations has a secondary review process that includes reviewing the ability to repay calculations completed during the underwriting and approval process prior to loan documents being executed.
  3. Compliance Oversight: The Compliance Management process includes a periodic compliance review with Regulation Z, including the ability to repay requirements. Review reports are communicated to senior management, relevant business units, and the Board. Reports include a management response to findings and an action plan for addressing any identified issues, with follow-up reviews scheduled to ensure proper implementation or corrective measures.

CFPB Sues National Bank Over Deceptive Savings Account Marketing 

The CFPB sued a national bank for deceptive marketing of its flagship high-interest savings account. From 2013 to 2019, the bank promoted the account as offering one of the nation’s best rates, yet the interest rate hovered around 0.30%. Meanwhile, the bank introduced a new savings account with a much higher rate (~4.25%) but failed to notify or convert existing customers, continuing to misrepresent the original account as its premier high-interest option. The CFPB claims this misled consumers, causing them to lose out on more than $23 billion in interest payments. 

Takeaways 

The CFPB has long focused on unfair, deceptive, and abusive acts or practices (UDAAPs), particularly in marketing. To avoid UDAAP violations, financial institutions should: 

  • Assess risks when launching new products—especially in comparison to existing offerings. 
  • Ensure transparency in marketing materials so consumers understand product terms and are informed of better alternatives. 
  • Conduct market research before advertising to avoid misleading claims like having the “best” rate—terms like “competitive” rates may be safer. 

Controls to Evaluate

  1. New Product Risk Assessment: The New Product Risk Assessment process includes evaluating UDAAP and other compliance-related risks when designing and implementing new products, including pricing and marketing-related risks. In addition, it includes identifying mitigating controls prior to implementing any new products or services.
  2. Marketing Compliance Policies: Marketing policies and procedures are in place and reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include requiring the Compliance Department to review and approve all marketing materials (print, social media, blogs, etc.) prior to publication to ensure all regulatory requirements have been met.
  3. Ongoing Compliance Reviews: The Compliance Management process includes a periodic review of new and existing accounts to ensure compliance with Truth in Savings (Regulation DD) requirements, UDAAP, and other regulatory requirements. Review reports are communicated to senior management, relevant business units, and the Board. Reports include a management response to findings and an action plan for addressing any identified issues, with follow-up reviews scheduled to ensure proper implementation or corrective measures. 

CFPB Fines Mobile Payment App for UDAAP Violations

The CFPB issued an order against a mobile payment app operator for failing to provide effective customer service, violating the unfairness prong of UDAAP. The agency found that the operator denied provisional credit for unauthorized transactions, despite investigations often exceeding 10 business days. Additionally, the company failed to conduct reasonable error resolution investigations, neglecting to review relevant records. The operator must pay $75 million in consumer redress and $55 million in civil penalties. 

To prevent future violations, the company must establish live customer service, provide clear notifications when accounts are restricted, implement fraud prevention measures, and retain compliance records for at least two years. 

Takeaways

This case highlights two major issues. First, the failure to follow EFTA error resolution requirements. Institutions receiving an error notice must investigate and determine whether an error occurred within 10 business days. If more time is needed (up to 45 days), they must provide provisional credit to protect consumers while the investigation is ongoing.  

Second, inadequate customer service violated UDAAP’s unfairness standard, which prohibits practices that cause substantial injury to consumers, are not reasonably avoidable, and are not outweighed by benefits to consumers or competition. Failure to provide timely responses to error notifications and account restrictions signals to regulators that an institution is unwilling to assist consumers. 

Controls to Evaluate

  1. Fraud Prevention Policies: Fraud Prevention policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures are comprehensive and include but are not limited to a) how to identify and mitigate risk associated with fraudulent transactions; b) safeguard measures for monitoring and detecting suspicious transactions and a verification process to confirm the legitimacy of transactions; c) a process for investigating and addressing suspected fraud; d) customer notification, including any decision on account restrictions, limited account functionality, and access to funds; e) management and committee reporting requirements; and f) ongoing assessment of emerging fraud trends and implementation of additional controls to mitigate fraud as needed.
  2. EFTA & Regulation E Compliance Policies: EFTA and Regulation E policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include but are not limited to a) disclosure requirements (including combined disclosure options); b) detailed requirements about pre-payment disclosures; c) error resolution; d) consumer liability; e) cancellation and refunds; f) preauthorized transfers; g) transfers scheduled before the date of transfer; h) record retention; i) periodic statements; and j) remittance transfers.
  3. Customer Support Accessibility: Customer notices and disclosures, applications, and websites inform customers that a live 24-hour call service is available; this includes information on how clients can access the call center, such as a phone number and email address.
  4. Record Retention Program: The Record Retention Policy/Program is written to ensure compliance with all regulatory requirements, including those for every department within the organization.

CFPB Sues Mortgage Company for Redlining

The CFPB has filed a complaint against a non-depository mortgage company for allegedly redlining majority-Black and Hispanic neighborhoods in Chicago and Boston, violating the Equal Credit Opportunity Act (ECOA). The agency also accuses the company of discouraging credit applications based on race, color, and national origin. 

From 2019 to 2021, the company operated exclusively in majority-white neighborhoods, focused its marketing there, and avoided outreach to communities of color. The complaint also reveals racist emails from loan officers and failures in internal controls to prevent redlining. 

If the court orders remediation, the company may be required to open offices in communities of color, conduct targeted marketing and outreach, hire a director of community lending, and provide fair lending training for employees. 

Takeaways

The DOJ, CFPB, and other agencies have been a formidable force when it comes to fair lending, specifically redlining. The DOJ’s combating redlining initiative has secured over $150 million in relief through 16 different enforcement actions since its inception in 2021. Additionally, the CFPB’s Fair Lending Report to Congress for 2024 highlighted the agency’s focus on detecting and remedying redlining, discouragement, and other forms of discrimination in the mortgage market. A recent ruling clarified that discrimination applies to both applicants and prospective applicants, reinforcing the need for a fair lending review across marketing, advertising, and solicitation.  

Controls to Evaluate

  1. Fair Lending Audits: The fair lending self-assessment program includes traditional monitoring and audit processes, where the audit evaluates performance against the institution’s policy and the fair lending laws and regulations. Fair Lending audits determine whether the nature and quality of controls ensure effective and consistent processes, whether they include well-considered policies and procedures and fair lending training, and whether monitoring is conducted at a frequency sufficient to provide reasonable assurance that the program complies with company policy and fair lending laws and regulations.
  2. Training: All relevant employees receive ongoing, regular, and targeted training. Documentation of all training is maintained. All employees, officers, and board members must complete basic training courses; other training pertinent to job duties/responsibilities (including fair lending) is assigned to ensure compliance with all regulatory, legal, and safety/soundness requirements. Training is monitored and managed to ensure and enforce compliance with training requirements.
  3. Redlining Analysis: A redlining analysis is performed quarterly to ensure there are no signs of redlining. Redlining analysis review reports are communicated to senior management, relevant business units, appropriate committees, and the Board. Reports include a management response to findings and an action plan for addressing any identified issues.

CFPB Fines Remittance Provider for Deceptive Fee Disclosures 

The CFPB issued an order against a remittance transfer provider for deceptive practices, citing violations of the Consumer Financial Protection Act. The provider misrepresented ATM fees and charges, raised fees on a prepaid account without properly disclosing them, and failed to accurately disclose exchange rates. The agency also found violations of the Electronic Fund Transfer Act (EFTA), including failure to refund fees when funds were delayed and inadequate error resolution policies. The provider must pay $450,000 to affected consumers and over $2 million to the CFPB’s victims relief fund. 

Takeaways

Failing to comply with error resolution requirements is a common violation of the remittance rule. The rule mandates that providers disclose exchange rates, company-collected fees and taxes, charges from foreign agents and intermediaries, the expected delivery amount, and, if applicable, a disclaimer about potential additional fees and foreign taxes. To prevent compliance deficiencies, institutions should maintain written policies and procedures that ensure adherence to error resolution requirements, including proper documentation retention for investigations. 

Controls to Evaluate

  1. Documented, Effective Compliance Management System: The Compliance Management System ensures compliance with all applicable state and federal laws and regulations. The program is well-documented and reviewed periodically. The program includes active tracking of emerging, new, and changed regulations. The program consists of requirements for appropriate staffing within the Compliance Department and training for all employees, agents, management, and the Board. The CMS also assists in avoiding unfair, deceptive, or abusive practices. The CMS includes (a) policies and procedures; (b) monitoring, testing, and audit procedures; (c) board and management oversight and reporting; (d) change management; and (e) identification and management of risks.
  2. Training: Ongoing, regular, and targeted training is provided to all relevant employees. Documentation is maintained regarding all training. All employees, officers, and board members are required to complete basic training courses, and other training pertinent to job duties/responsibilities (including EFTA, Regulation E, and remittance transfers) is assigned to ensure compliance with all regulatory, legal, and safety/soundness requirements. Training is monitored and managed to ensure and enforce compliance with training requirements.
  3. EFTA, Regulation E Policies and Procedures: EFTA and Regulation E policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include but are not limited to a) disclosure requirements (including combined disclosure options); b) detailed requirements about pre-payment disclosures; c) error resolution; d) consumer liability; e) cancellation and refunds; f) preauthorized transfers; g) transfers scheduled before the date of transfer; h) record retention; i) periodic statements; and j) remittance transfers.
  4. Marketing Policies and Procedures: Marketing policies and procedures are in place and reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include requiring the Compliance Department to review and approve all marketing materials (print, social media, blogs, etc.) prior to publication to ensure all regulatory requirements have been met.

OCC Enforcement Actions

OCC Issues Cease and Desist Order Over BSA Compliance Failures

The OCC issued a cease and desist order against a bank for failing to develop and maintain a reasonably designed Bank Secrecy Act (BSA) compliance program. The institution’s program had deficiencies in its internal controls, anti-money laundering/countering the financing of terrorism (AML/CFT) Officer, independent testing, and training components. This led to a breakdown of policies to identify, evaluate, and report suspicious activity and to ensure an effective transaction monitoring system. 

The bank must appoint a Compliance Committee to oversee compliance with the Bank Secrecy Act, specifically to:  

  1. Review the BSA and Sanctions Compliance Programs, including any gaps or deficiencies in all three lines of defense; 
  2. Adopt a written suspicious activity monitoring and reporting program to ensure the timely and appropriate identification, review, and disposition of unusual activity and the filing of suspicious activity reports (SARs);   
  3. Establish a written report on suspicious activity monitoring, investigation, decisioning, and reporting; 
  4. Develop and maintain a written Customer Due Diligence (CDD) program to ensure appropriate collection and analysis of customer information; 
  5. Develop, implement, and maintain a written BSA Risk Assessment methodology that reflects a comprehensive analysis and documentation of the Bank’s money laundering, terrorist financing, and other illicit financial activity risks. The institution must also develop, implement, and maintain a written Sanctions Risk Assessment that reflects a comprehensive analysis and documentation of the Bank’s sanctions risks; and 
  6. Evaluate the BSA and Sanctions risks posed by any new or expanded products or services before offering, as required by the cease and desist. 

Takeaways 

AML/CFT violations are a top supervisory priority. In addition to the common SAR and internal control deficiencies, banks often have insufficient risk assessments. Reviewing risk assessments periodically is a best practice, including identification of specific risk categories, assessment of affiliate relationships and shared services, assessment of the adequacy of internal controls designed to address the risks identified, and identification of the bank's residual risk profile.

The focus on adequate risk assessments will only grow in the future, as illustrated by FinCEN’s proposal to strengthen and modernize AML/CFT programs. The proposed rule requires a dynamic, mandatory risk assessment process to ensure the AML/CFT program adapts to internal and external changes in risk. It is essential that your institution understands its significant risks and accounts for them under a risk-based regulatory and supervisory approach.  

Controls to Evaluate

  1. Comprehensive AML/CFT Program: A comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Compliance Program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring timely identification, review, and filing of Suspicious Activity Reports (SARs) with the appropriate authorities, and a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries. All aspects of the AML/CFT Program are well documented and regularly reviewed and updated to address emerging risks and regulatory changes.
  2. AML/CFT Risk Assessments: Comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) risk assessments are conducted regularly. The risk assessment is performed at least annually and whenever significant changes in the business environment, regulatory changes, or operations occur. The risk assessment methodology includes an analysis of money laundering risk (customer, product and services, geographic and transaction risk), terrorist financing (customer relationships, transaction patterns, geopolitical factors), other illicit financial risk (fraud, corruption, tax evasion) and sanctions risk (individuals and entities, countries, screening processes). The risk assessment process is documented and includes any findings and actions taken to mitigate identified risks. The risk assessment results are reported to senior management and the Board.
  3. New Product Risk Assessments: The New Product Risk Assessment process includes evaluating AML/CFT and other compliance-related risks when designing and implementing new products, including sanction-related risks. In addition, it includes identifying mitigating controls prior to implementing any new products or services.
